ssl_mode="REQUIRED" disables verification of the server certificate by default.

methane · methane · commit 9028b459d30e · 2024-11-06T18:14:01.000+09:00
mariadb connector/c changed the default value of MYSQL_OPT_SSL_VERIFY_SERVER_CERT to 1.
this change makes it can be disabled by ssl_mode="DISABLED", "PREFERRED", and "REQUIRED".
diff --git a/src/MySQLdb/_mysql.c b/src/MySQLdb/_mysql.c
@@ -558,6 +558,13 @@ _mysql_ConnectionObject_Initialize(
         if (ssl_mode_num >= SSLMODE_VERIFY_CA) {
             mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&enforce_tls);
         }
+        else {
+            // mariadb-connector-c changed the default value of MYSQL_OPT_SSL_VERIFY_SERVER_CERT to 1.
+            // https://github.com/mariadb-corporation/mariadb-connector-c/commit/8dffd56936df3d03eeccf47904773860a0cdeb57
+            // for users don't want to verify the server certificate, we provide an option to disable it.
+            my_bool my_false = 0;
+            mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_false);
+        }
 #endif
     }
 

Original file line number	Diff line number	Diff line change
`@@ -558,6 +558,13 @@ _mysql_ConnectionObject_Initialize(`
`558`	`558`	`if (ssl_mode_num >= SSLMODE_VERIFY_CA) {`
`559`	`559`	`mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&enforce_tls);`
`560`	`560`	`}`
	`561`	`+ else {`
	`562`	`+ // mariadb-connector-c changed the default value of MYSQL_OPT_SSL_VERIFY_SERVER_CERT to 1.`
	`563`	`+ // https://github.com/mariadb-corporation/mariadb-connector-c/commit/8dffd56936df3d03eeccf47904773860a0cdeb57`
	`564`	`+ // for users don't want to verify the server certificate, we provide an option to disable it.`
	`565`	`+ my_bool my_false = 0;`
	`566`	`+ mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_false);`
	`567`	`+ }`
`561`	`568`	`#endif`
`562`	`569`	`}`
`563`	`570`